<packaging strong crypto inside weak crypto>

At 01:06 PM 10/13/2002 -0400, Tyler Durden wrote:
>Oh yeah. Interesting. Of course, this would be done only
>if the sender knew or suspected how mass-scanning might be done.
>And so the existence of another level of heavier encryption ...
>might be a tip off that this is not simply a financial transaction.

Back when the Feds were trying to tell us that we should be patriotic loyal Americans and use weak crypto because it helps in the fight against Communism and other spies, they were making it clear that they *wanted* mass-scanning, and were busy lobbying Congress to give them money for it and also trying to get laws forcing phone companies to make things easy for them to do much higher volumes of scanning than the relatively limited amount they do now.

Also, financial transactions are the ones that most need strong crypto, and have been most successful in getting permission to use it, because everybody understands that bank robbery is Bad, and credit card theft is Bad, and if banks and internet credit card transactions were forced to use weak crypto, Bad Guys could afford to build cracker machines on spec and pay for them with what they steal. This was especially the case after the EFF's DES cracker demonstrated that $250,000 was enough for a couple-day crack.

But the Feds have been letting banks use DES for decades, and triple-DES for a while, and Netscape's inclusion of SSL in their browser was really the beginning of the end for the crypto bans, and a brave move on their part, especially since the difference between 40-bit and 128-bit RC4 is just how many of the bits you use in the key setup. (You may not remember, but there was a program from fortify.net that "fixed" 40-bit implementations of Netscape, and there was even a one-liner Javascript signature-line program that let you set Netscape to use 128 bits...